Earth Lusca, an elusive threat actor, has been seen carrying out attacks on organizations across the globe. According to Trend Micro, the attackers are after both sensitive information and monetary profit.
“The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others,” Trend Micro researchers said in a new report. “However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.”
According to the cybersecurity company, the group is part of a larger China-based network known as Winnti, which focuses on intelligence gathering and intellectual property theft.
Earth Lusca uses spear-phishing and watering-hole attacks to infiltrate its targets. It also exploits known vulnerabilities in public-facing software, such as the ProxyShell flaws in Microsoft Exchange Server and vulnerabilities in Oracle GlassFish Server, to gain initial access.
The group has been known to deploy various types of tools and malware, such as Cobalt Strike, Doraemon, ShadowPad, Winnti, FunnySwitch and web shells like AntSword and Behinder.
Originally built as an adversary-simulation tool for security professionals, Cobalt Strike has become a preferred tool for cybercriminals who want to execute code remotely on compromised systems.
Although “the revenue earned from the mining activities seem low,” the researchers noted that the perpetrators are still incentivized to carry out these activities.
According to the company’s telemetry data, Earth Lusca targeted organizations that have strategic interests in China:
Gambling companies in Mainland China; government institutions in Taiwan, the United Arab Emirates, Mongolia, Thailand, the Philippines, Vietnam, and Nigeria; educational institutions in Taiwan, Hong Kong, Japan, and France; COVID-19 research organizations in the U.S.; news media in Taiwan, Hong Kong, Australia, Germany, and France; pro-democracy and human rights political organizations and movements in Hong Kong; telecom companies in Nepal; religious movements that are banned in Mainland China; and cryptocurrency trading platforms.
Besides cyberespionage, the group is capable of carrying out other damaging activities, relying on tried-and-true techniques to do so.
“Evidence points to Earth Lusca being a highly-skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. However, the group still primarily relies on tried-and-true techniques to entrap a target,” the researchers said.
“While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and updating important public-facing applications, can minimize the impact — or even stop — an Earth Lusca attack.”